Fingerprinting Computers – Part I – Your browser.

Authentication is about the only big open problem in the practice of internet security. The existing encryption and hashing algorithms as well as the key generation/management protocols offer a high degree of security, barring programming/implementation errors.
Authentication technologies face serious challenges mainly because identity is difficult to establish with a 100% certainty even using physical characteristics, i.e., signatures and credentials can be forged, the physical appearance of people can be manipulated, etc.
Read more of this post


It didn’t take very long… [UPDATED]

for my prediction to become a reality.
PC world reported on Feb 18 that a bunch of websites, only 84,000, were taken down “accidentally” by the ICE.
I have zero sympathy for people who uses the web to steal or commit morally reprehensible acts, however, if I can anticipate the heavy damage that a government agency with the power to shut down internet domains can unleash on hardworking and honest people,you cannot convince me that the legislators cannot figure this was bound to happen. Obviously they don’t care about the consequences of their grandstanding have for the rest of us mortals. And at the end of the day, shutting down websites doesn’t stop the traffic of child pornography or stolen intellectual property, it is just a nuisance for the bad guys that now need to go and setup another channel.
The danger for the rest of us is this, if we trust the government, any government, with the switch to the Internet, how long before the shutting down of domains is used as a way to silence dissent?
Oh wait! It did already happened? That was another prediction that turned to be right!


Check this Hall of Shame page at the EFF

SSL 3.0 / TLS subjected to Man in the Middle Attack

An “Authentication Gap” was discovered in the latest version of SSL/TLS protocol.This could potentially be a huge problem. The gap is not due to some erroneous implementation, it is a property of the protocol.

Here is a list of links to websites where the issue is being followed:

IETF resources

Red Hat

The end of the road for MD5 signed SSL Certificates

X.509 certificates signed by Certificate Authorities that use MD5 function are certainly going to disappear form the Internet as flaws on the MD5 were successfully exploited to generate a rogue certificate that would be considered as valid by all browsers.

The proof of concept was recently published by A. Sotirov et al. , although the basis for the hack has been know for a few years know. The researchers exploited collisions (two different strings that hash to the same value) in the MD5 and the fact that CAs use a sequential numbering of certificates upon issuance.

News that SSL is broken are exaggerated as many CA are already using SHA-1 (a stronger hash function) and the ones that were using MD5 are switching quickly after publication of the flaw.  

See also: